Re: [Captive-portals] [Last-Call] Opsdir last call review of draft-ietf-capport-api-07

Linda Dunbar <linda.dunbar@futurewei.com> Sun, 10 May 2020 23:18 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Joe Abley <jabley@hopcount.ca>
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-capport-api.all@ietf.org" <draft-ietf-capport-api.all@ietf.org>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Date: Sun, 10 May 2020 23:18:48 +0000
Message-ID: <SN6PR13MB2334711D0A2CAAAEFAA988B685A00@SN6PR13MB2334.namprd13.prod.outlook.com>
References: <158906200797.26124.16073204264263445484@ietfa.amsl.com> <9AB2F3DF-0AE7-4ABE-82F3-5FFD7B341D51@hopcount.ca>
In-Reply-To: <9AB2F3DF-0AE7-4ABE-82F3-5FFD7B341D51@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/N-nGcFOBsA7V7LeuVZoW_LTah5k>

Joe and Tommy, 

Thank you very much for the explanation. It is very helpful. I don't recall that useful information when I glanced through draft-ietf-capport-architecture. IMHO, that information would be useful to add to the Introduction section. 

Linda


-----Original Message-----
From: mjabaut@mail.hopcount.ca <mjabaut@mail.hopcount.ca> On Behalf Of Joe Abley
Sent: Saturday, May 9, 2020 5:42 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: ops-dir@ietf.org; last-call@ietf.org; draft-ietf-capport-api.all@ietf.org; captive-portals@ietf.org
Subject: Re: [Last-Call] Opsdir last call review of draft-ietf-capport-api-07

Hi Linda,

On 9 May 2020, at 18:06, Linda Dunbar via Datatracker <noreply@ietf.org> wrote:

> Reviewer: Linda Dunbar
> What improvement does the proposed API have over today's existing 
> communication between clients and Captive Server(s)? Captive servers 
> have been deployed everywhere, like airports or restaurants, trying to 
> access free WiFi. What problems does the existing method have to justify these newly proposed APIs?

I have no involvement with this architecture apart from being an enthusiastic cheerleader on the sidelines, but it seems to me that none of the existing captive environments you mention have anything resembling a structured, machine-readable interface. So this is not a newly-proposed API so much as the first and only example of a standard API we have for this at all.

Existing mechanisms rely upon devices being configured in a particular way (e.g. DNSSEC validation disabled, DHCP-provided DNS server being used, DoH/DoT disabled); they rely upon users using particular applications to trigger an interaction to escape the captive environment (e.g. a browser); they provide no clear indication to client software that a captive portal exists, leaving the client to try to infer whether the network is simply broken or whether it is encumbered; and it's rare that two such environments you encounter on any particular day act the same. They also often trigger certificate warnings in software like calendars and mail readers that I have seen users click OK on, imagining that they are gaining access to the network by doing so, whereas in fact they are just facilitating an on-path attack on TLS so that their credentials can be stolen.

While some widely-used devices have come to be accommodated more elegantly than others through simple market dynamics (e.g. giving iPhone users a smooth experience reduces support costs and increases revenue) the general experience is, putting it mildly, horrific, wildly inconsistent and hostile to users.

The companion architecture document draft-ietf-capport-architecture-07 contains a brief description of some common components of existing mechanisms in its appendix A, but I think the variety deployed in the world is wide enough that it's reasonable for that document not to try to go into any more detail. In any case I don't think this document (draft-ietf-capport-api-07) needs any such narrative; I think the architecture document is a better place for it.

[Having been so rude about existing mechanisms, I will mention wistfully that I do very much look forward to the day when I can be horrified by wifi in airports and coffee shops again.]


Joe
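
The contrast Joe draws above, between a client that has to infer captivity from whatever an HTTP probe returns and a client that receives a structured answer, as an added example that is not part of this thread or of the draft. The legacy probe function models the pre-API heuristic; the parser validates a CAPPORT API response using the key names of the API as published (RFC 8908: captive, user-portal-url, venue-info-url, can-extend-session, seconds-remaining, bytes-remaining) and the application/captive+json media type. Refusing non-https portal URLs is this example's own client policy, motivated by the certificate-warning problem described above, not a rule quoted from the draft. All sample inputs are constructed.

```python
"""Captive-portal detection: legacy probe heuristic vs. parsing a CAPPORT API response.

Added example, not code from the thread or the draft.  Key names follow RFC 8908,
the published form of draft-ietf-capport-api; sample payloads are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CAPPORT_MEDIA_TYPE = "application/captive+json"
REDIRECTS = {301, 302, 303, 307, 308}


def legacy_probe_verdict(status: int, body: bytes, expected: bytes) -> str:
    """Pre-API heuristic: fetch a URL with a known body and guess from the result.

    Anything other than the exact expected response is ambiguous: the client cannot
    tell an outage, a filtered port and an interposed login page apart.
    """
    if status == 200 and body == expected:
        return "open"
    if status in REDIRECTS:
        return "probably-captive"  # redirected somewhere; no idea where or by whom
    return "unknown"


@dataclass
class PortalState:
    """Typed view of one API response (optional keys are None when absent)."""
    captive: bool
    user_portal_url: Optional[str] = None
    venue_info_url: Optional[str] = None
    can_extend_session: Optional[bool] = None
    seconds_remaining: Optional[int] = None
    bytes_remaining: Optional[int] = None


def _typed(doc: dict, key: str, typ: type):
    """Return doc[key] if absent or of the expected JSON type; reject bool where int is expected."""
    value = doc.get(key)
    if value is None:
        return None
    if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
        raise ValueError(f"{key!r} must be {typ.__name__}, got {type(value).__name__}")
    return value


def parse_capport_response(content_type: str, body: bytes) -> PortalState:
    """Validate media type, the required 'captive' boolean and the optional typed keys."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != CAPPORT_MEDIA_TYPE:
        raise ValueError(f"unexpected media type {content_type!r}")
    doc = json.loads(body.decode("utf-8"))
    if not isinstance(doc, dict) or not isinstance(doc.get("captive"), bool):
        raise ValueError("'captive' is required and must be a JSON boolean")
    state = PortalState(
        captive=doc["captive"],
        user_portal_url=_typed(doc, "user-portal-url", str),
        venue_info_url=_typed(doc, "venue-info-url", str),
        can_extend_session=_typed(doc, "can-extend-session", bool),
        seconds_remaining=_typed(doc, "seconds-remaining", int),
        bytes_remaining=_typed(doc, "bytes-remaining", int),
    )
    # Example's own policy (assumption, not a draft rule): only hand the user an https
    # URL, so a plain-http or malformed value cannot recreate the click-through-the-
    # certificate-warning flow described in the thread.
    for url in (state.user_portal_url, state.venue_info_url):
        if url is not None:
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.netloc:
                raise ValueError(f"portal URL must be https: {url!r}")
    return state


def decide(state: PortalState) -> str:
    """What a client does with a validated response: no inference involved."""
    if not state.captive:
        return "open"
    if state.user_portal_url:
        return f"captive: direct the user to {state.user_portal_url}"
    return "captive: no portal URL advertised"


# Constructed sample inputs (not captured from any real network).
PROBE_EXPECTED = b"Success"
LEGACY_CASES = {
    "open": (200, b"Success", PROBE_EXPECTED),
    "redirected": (302, b"", PROBE_EXPECTED),
    "interposed": (200, b"<html>Welcome to FreeWifi</html>", PROBE_EXPECTED),
}
API_RESPONSE = (
    "application/captive+json; charset=utf-8",
    json.dumps({"captive": True,
                "user-portal-url": "https://portal.example.net/login",
                "seconds-remaining": 0}).encode("utf-8"),
)

if __name__ == "__main__":
    for name, args in LEGACY_CASES.items():
        print(f"legacy probe, {name}: {legacy_probe_verdict(*args)}")
    print("api:", decide(parse_capport_response(*API_RESPONSE)))
```

The three legacy cases show the problem: only the exact expected body yields a definite answer, and the "interposed" case (a 200 with a login page) is indistinguishable from a broken network. The API path either yields a typed PortalState the client can act on, or fails loudly with a ValueError the client can treat as "this network did not give a usable answer".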